Analysis
max time kernel: 34s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 18/04/2025, 11:52
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_bdee5e351d4080f6d88d3fb9c6c09c60.exe
  Resource: win10v2004-20250314-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_bdee5e351d4080f6d88d3fb9c6c09c60.exe
  Resource: win11-20250410-en
General
Target: JaffaCakes118_bdee5e351d4080f6d88d3fb9c6c09c60.exe
Size: 1016KB
MD5: bdee5e351d4080f6d88d3fb9c6c09c60
SHA1: f8b229a69b7b932ffb0ac6d71aec90137c583a18
SHA256: 04d3522972566a2b189144c86441058f1af5641a67cdaf39e246f91ba23bf5c5
SHA512: 35c3b392784ac85f9794e1eb75d55e9d651e2f13782175791eeb07fef86f5360f681e3e0be9d8fe0c6b1495ed4edd07e6eaec2f2c46c5026faa812fb0858842b
SSDEEP: 6144:AIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUzx84a2lXUW:AIXsgtvm1De5YlOx6lzBH46Uzf7lXUW
Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 18 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | mvsejo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | mvsejo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gwijnolzqgs.exe
Pykspa family
UAC bypass (3 TTPs, 27 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | mvsejo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | mvsejo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | mvsejo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | mvsejo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | mvsejo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mvsejo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mvsejo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | mvsejo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Detect Pykspa worm (2 IoCs)
resource | yara_rule
behavioral2/files/0x001500000002ac99-4.dat | family_pykspa
behavioral2/files/0x001900000002b0f5-87.dat | family_pykspa
Adds policy Run key to start application (2 TTPs, 62 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhmgtgxhyzshls = "bzlmgaypnvvrcqbigusef.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhmgtgxhyzshls = "bzlmgaypnvvrcqbigusef.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhmgtgxhyzshls = "yryujyrdwzulragi.exe" | mvsejo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhmgtgxhyzshls = "zvfewokzvbztcoxcykg.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhmgtgxhyzshls = "yryujyrdwzulragi.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thjakuipdbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojsqhythchexfqycxi.exe" | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | mvsejo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhmgtgxhyzshls = "ojsqhythchexfqycxi.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhmgtgxhyzshls = "mjuungdtqxwrboyebolw.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhmgtgxhyzshls = "fzheukerlpldkubey.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thjakuipdbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mjuungdtqxwrboyebolw.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhmgtgxhyzshls = "fzheukerlpldkubey.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thjakuipdbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mjuungdtqxwrboyebolw.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thjakuipdbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mjuungdtqxwrboyebolw.exe" | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thjakuipdbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yryujyrdwzulragi.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhmgtgxhyzshls = "fzheukerlpldkubey.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhmgtgxhyzshls = "mjuungdtqxwrboyebolw.exe" | mvsejo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thjakuipdbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bzlmgaypnvvrcqbigusef.exe" | mvsejo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thjakuipdbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yryujyrdwzulragi.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhmgtgxhyzshls = "fzheukerlpldkubey.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thjakuipdbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvfewokzvbztcoxcykg.exe" | mvsejo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhmgtgxhyzshls = "ojsqhythchexfqycxi.exe" | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhmgtgxhyzshls = "mjuungdtqxwrboyebolw.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thjakuipdbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fzheukerlpldkubey.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thjakuipdbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yryujyrdwzulragi.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thjakuipdbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yryujyrdwzulragi.exe" | mvsejo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thjakuipdbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bzlmgaypnvvrcqbigusef.exe" | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | mvsejo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhmgtgxhyzshls = "mjuungdtqxwrboyebolw.exe" | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thjakuipdbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yryujyrdwzulragi.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thjakuipdbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mjuungdtqxwrboyebolw.exe" | mvsejo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thjakuipdbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bzlmgaypnvvrcqbigusef.exe" | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhmgtgxhyzshls = "bzlmgaypnvvrcqbigusef.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thjakuipdbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fzheukerlpldkubey.exe" | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhmgtgxhyzshls = "yryujyrdwzulragi.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thjakuipdbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yryujyrdwzulragi.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhmgtgxhyzshls = "fzheukerlpldkubey.exe" | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhmgtgxhyzshls = "fzheukerlpldkubey.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhmgtgxhyzshls = "fzheukerlpldkubey.exe" | mvsejo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhmgtgxhyzshls = "yryujyrdwzulragi.exe" | mvsejo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thjakuipdbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bzlmgaypnvvrcqbigusef.exe" | mvsejo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thjakuipdbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bzlmgaypnvvrcqbigusef.exe" | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thjakuipdbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fzheukerlpldkubey.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thjakuipdbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mjuungdtqxwrboyebolw.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qhmgtgxhyzshls = "mjuungdtqxwrboyebolw.exe" | mvsejo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\thjakuipdbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fzheukerlpldkubey.exe" | mvsejo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | gwijnolzqgs.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mvsejo.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mvsejo.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mvsejo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mvsejo.exe
Executes dropped EXE (64 IoCs)
pid | Process
4832 | gwijnolzqgs.exe
2928 | ojsqhythchexfqycxi.exe
5348 | bzlmgaypnvvrcqbigusef.exe
700 | gwijnolzqgs.exe
3528 | bzlmgaypnvvrcqbigusef.exe
2300 | gwijnolzqgs.exe
2160 | yryujyrdwzulragi.exe
3640 | bzlmgaypnvvrcqbigusef.exe
2040 | yryujyrdwzulragi.exe
2016 | ojsqhythchexfqycxi.exe
3532 | bzlmgaypnvvrcqbigusef.exe
2460 | gwijnolzqgs.exe
1656 | gwijnolzqgs.exe
1588 | mvsejo.exe
2220 | mvsejo.exe
5284 | fzheukerlpldkubey.exe
3400 | fzheukerlpldkubey.exe
5388 | zvfewokzvbztcoxcykg.exe
4808 | zvfewokzvbztcoxcykg.exe
3684 | gwijnolzqgs.exe
4048 | gwijnolzqgs.exe
5404 | fzheukerlpldkubey.exe
5876 | fzheukerlpldkubey.exe
2020 | fzheukerlpldkubey.exe
2340 | fzheukerlpldkubey.exe
5716 | mjuungdtqxwrboyebolw.exe
2992 | fzheukerlpldkubey.exe
848 | gwijnolzqgs.exe
6088 | fzheukerlpldkubey.exe
6112 | bzlmgaypnvvrcqbigusef.exe
2024 | bzlmgaypnvvrcqbigusef.exe
2816 | gwijnolzqgs.exe
2312 | zvfewokzvbztcoxcykg.exe
4908 | gwijnolzqgs.exe
4228 | gwijnolzqgs.exe
3992 | yryujyrdwzulragi.exe
5936 | ojsqhythchexfqycxi.exe
4676 | gwijnolzqgs.exe
3864 | bzlmgaypnvvrcqbigusef.exe
4876 | zvfewokzvbztcoxcykg.exe
4380 | bzlmgaypnvvrcqbigusef.exe
4232 | ojsqhythchexfqycxi.exe
1736 | bzlmgaypnvvrcqbigusef.exe
3640 | gwijnolzqgs.exe
5928 | gwijnolzqgs.exe
2040 | gwijnolzqgs.exe
3980 | mjuungdtqxwrboyebolw.exe
4348 | yryujyrdwzulragi.exe
6004 | gwijnolzqgs.exe
3532 | ojsqhythchexfqycxi.exe
2256 | bzlmgaypnvvrcqbigusef.exe
5616 | bzlmgaypnvvrcqbigusef.exe
4492 | gwijnolzqgs.exe
2028 | yryujyrdwzulragi.exe
1028 | gwijnolzqgs.exe
2640 | fzheukerlpldkubey.exe
5620 | ojsqhythchexfqycxi.exe
4420 | gwijnolzqgs.exe
4256 | zvfewokzvbztcoxcykg.exe
748 | ojsqhythchexfqycxi.exe
4432 | yryujyrdwzulragi.exe
5668 | gwijnolzqgs.exe
6092 | ojsqhythchexfqycxi.exe
5632 | bzlmgaypnvvrcqbigusef.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | mvsejo.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | mvsejo.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | mvsejo.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | mvsejo.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | mvsejo.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | mvsejo.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfjcoaqzpphvy = "zvfewokzvbztcoxcykg.exe ." | mvsejo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ojsqhythchexfqycxi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojsqhythchexfqycxi.exe" | mvsejo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pfjcoaqzpphvy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvfewokzvbztcoxcykg.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qfialwltihyl = "mjuungdtqxwrboyebolw.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ojsqhythchexfqycxi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvfewokzvbztcoxcykg.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\qfialwltihyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yryujyrdwzulragi.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ojsqhythchexfqycxi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mjuungdtqxwrboyebolw.exe" | mvsejo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfjcoaqzpphvy = "mjuungdtqxwrboyebolw.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qfialwltihyl = "fzheukerlpldkubey.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fzheukerlpldkubey = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yryujyrdwzulragi.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfjcoaqzpphvy = "zvfewokzvbztcoxcykg.exe ." | mvsejo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfjcoaqzpphvy = "zvfewokzvbztcoxcykg.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fzheukerlpldkubey = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fzheukerlpldkubey.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yryujyrdwzulragi = "zvfewokzvbztcoxcykg.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ojsqhythchexfqycxi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mjuungdtqxwrboyebolw.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fzheukerlpldkubey = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojsqhythchexfqycxi.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yryujyrdwzulragi = "bzlmgaypnvvrcqbigusef.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\tlrmaogrjlfvain = "ojsqhythchexfqycxi.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\tlrmaogrjlfvain = "fzheukerlpldkubey.exe" | mvsejo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fzheukerlpldkubey = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bzlmgaypnvvrcqbigusef.exe ." | mvsejo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfjcoaqzpphvy = "yryujyrdwzulragi.exe ." | mvsejo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\tlrmaogrjlfvain = "bzlmgaypnvvrcqbigusef.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\qfialwltihyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvfewokzvbztcoxcykg.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pfjcoaqzpphvy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mjuungdtqxwrboyebolw.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfjcoaqzpphvy = "bzlmgaypnvvrcqbigusef.exe ." | mvsejo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfjcoaqzpphvy = "fzheukerlpldkubey.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\tlrmaogrjlfvain = "yryujyrdwzulragi.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yryujyrdwzulragi = "fzheukerlpldkubey.exe ." | mvsejo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qfialwltihyl = "mjuungdtqxwrboyebolw.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfjcoaqzpphvy = "ojsqhythchexfqycxi.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\qfialwltihyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bzlmgaypnvvrcqbigusef.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ojsqhythchexfqycxi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojsqhythchexfqycxi.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ojsqhythchexfqycxi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yryujyrdwzulragi.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfjcoaqzpphvy = "fzheukerlpldkubey.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fzheukerlpldkubey = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fzheukerlpldkubey.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ojsqhythchexfqycxi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yryujyrdwzulragi.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ojsqhythchexfqycxi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mjuungdtqxwrboyebolw.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pfjcoaqzpphvy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojsqhythchexfqycxi.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fzheukerlpldkubey = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvfewokzvbztcoxcykg.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pfjcoaqzpphvy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fzheukerlpldkubey.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qfialwltihyl = "bzlmgaypnvvrcqbigusef.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pfjcoaqzpphvy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bzlmgaypnvvrcqbigusef.exe ." | mvsejo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yryujyrdwzulragi = "bzlmgaypnvvrcqbigusef.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fzheukerlpldkubey = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fzheukerlpldkubey.exe ." | mvsejo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\qfialwltihyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojsqhythchexfqycxi.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fzheukerlpldkubey = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojsqhythchexfqycxi.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfjcoaqzpphvy = "zvfewokzvbztcoxcykg.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ojsqhythchexfqycxi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yryujyrdwzulragi.exe" | mvsejo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\qfialwltihyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvfewokzvbztcoxcykg.exe" | mvsejo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\qfialwltihyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fzheukerlpldkubey.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\tlrmaogrjlfvain = "yryujyrdwzulragi.exe" | mvsejo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fzheukerlpldkubey = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mjuungdtqxwrboyebolw.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ojsqhythchexfqycxi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fzheukerlpldkubey.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ojsqhythchexfqycxi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yryujyrdwzulragi.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ojsqhythchexfqycxi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvfewokzvbztcoxcykg.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfjcoaqzpphvy = "ojsqhythchexfqycxi.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qfialwltihyl = "yryujyrdwzulragi.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\qfialwltihyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yryujyrdwzulragi.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\Run\qfialwltihyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mjuungdtqxwrboyebolw.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pfjcoaqzpphvy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fzheukerlpldkubey.exe ." | mvsejo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fzheukerlpldkubey = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yryujyrdwzulragi.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfjcoaqzpphvy = "mjuungdtqxwrboyebolw.exe ." | gwijnolzqgs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ojsqhythchexfqycxi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mjuungdtqxwrboyebolw.exe" | gwijnolzqgs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-649025904-2769175349-3954215257-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yryujyrdwzulragi = "bzlmgaypnvvrcqbigusef.exe ." | gwijnolzqgs.exe
Checks whether UAC is enabled 1 TTPs 36 IoCs
description | ioc | Process
(36 events, grouped by action and process; counts in parentheses)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe (16)
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mvsejo.exe (2)
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gwijnolzqgs.exe (16)
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mvsejo.exe (2)
-
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users: EnableInstallerDetection = 0 disables UAC's installer-detection heuristic, so application installers no longer trigger an elevation prompt.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | mvsejo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | mvsejo.exe
-
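The EnableLUA and EnableInstallerDetection rows above, together with the other Policies\System and Policies\Explorer values the "System policy modification" section of this report lists (ConsentPromptBehaviorAdmin/User, PromptOnSecureDesktop, FilterAdministratorToken, EnableVirtualization, ValidateAdminCodeSignatures, EnableSecureUIAPaths, DisableRegistryTools, NoDriveTypeAutoRun), describe a single posture change and are best read together. The following is an added example, not part of the sandbox report: it takes the values the report shows being written and rates each one against what a default Windows client carries, so that writes which merely restate a default (FilterAdministratorToken = 0, ValidateAdminCodeSignatures = 0) are not counted as weakening. The OBSERVED dict is built from the report's rows; the DEFAULTS baseline, the severities and the wording are the example's own assumptions (defaults differ by edition and policy, so check them against your own build), as is the 0x91 default for the NoDriveTypeAutoRun bitmask.

```python
"""Rate the UAC / policy values a sample wrote against a default-Windows baseline.
Added example, not part of the sandbox report. OBSERVED is built from the report's rows;
DEFAULTS, MEANINGS and the severity labels are this example's own assumptions."""
from collections import Counter

# Value names are relative to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\.
# OBSERVED: the values the report shows gwijnolzqgs.exe / mvsejo.exe writing.
OBSERVED = {
    "System\\EnableLUA": 0,
    "System\\ConsentPromptBehaviorAdmin": 0,
    "System\\ConsentPromptBehaviorUser": 0,
    "System\\PromptOnSecureDesktop": 0,
    "System\\FilterAdministratorToken": 0,
    "System\\EnableInstallerDetection": 0,
    "System\\EnableVirtualization": 0,
    "System\\ValidateAdminCodeSignatures": 0,
    "System\\EnableSecureUIAPaths": 0,
    "System\\DisableRegistryTools": 1,
    "Explorer\\NoDriveTypeAutoRun": 1,
}

# Assumed defaults for a current Windows client (installer detection is off by default on Enterprise).
DEFAULTS = {
    "System\\EnableLUA": 1,
    "System\\ConsentPromptBehaviorAdmin": 5,
    "System\\ConsentPromptBehaviorUser": 3,
    "System\\PromptOnSecureDesktop": 1,
    "System\\FilterAdministratorToken": 0,
    "System\\EnableInstallerDetection": 1,
    "System\\EnableVirtualization": 1,
    "System\\ValidateAdminCodeSignatures": 0,
    "System\\EnableSecureUIAPaths": 1,
    "System\\DisableRegistryTools": 0,
    "Explorer\\NoDriveTypeAutoRun": 0x91,
}

# What a specific non-default value means for the machine's posture: name -> value -> (severity, text).
MEANINGS = {
    "System\\EnableLUA": {0: ("critical", "UAC switched off for all users (effective after the next reboot)")},
    "System\\ConsentPromptBehaviorAdmin": {0: ("high", "administrators elevate silently, with no consent prompt")},
    "System\\ConsentPromptBehaviorUser": {0: ("medium", "standard users' elevation requests are denied automatically")},
    "System\\PromptOnSecureDesktop": {0: ("high", "elevation prompts drawn on the interactive desktop, not the secure desktop")},
    "System\\EnableInstallerDetection": {0: ("medium", "installer heuristics no longer trigger an elevation prompt")},
    "System\\EnableVirtualization": {0: ("medium", "file and registry virtualization for legacy apps switched off")},
    "System\\EnableSecureUIAPaths": {0: ("high", "UIAccess applications accepted from non-secure locations")},
    "System\\DisableRegistryTools": {1: ("medium", "Registry Editor blocked, hindering manual cleanup")},
}

# NoDriveTypeAutoRun is a bitmask: a set bit disables AutoRun for that drive type.
DRIVE_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed", 0x10: "network",
              0x20: "CD-ROM", 0x40: "RAM disk", 0x80: "reserved"}
ORDER = {"critical": 0, "high": 1, "medium": 2, "info": 3, "unknown": 4}


def decode_autorun(value, baseline=0x91):
    """Drive types for which AutoRun becomes allowed again: bits set in baseline but cleared in value."""
    return [name for bit, name in sorted(DRIVE_BITS.items()) if baseline & bit and not value & bit]


def evaluate(observed, defaults=DEFAULTS):
    """Return (severity, value name, meaning) for every written value, worst first."""
    findings = []
    for name, value in observed.items():
        default = defaults.get(name)
        if name == "Explorer\\NoDriveTypeAutoRun":
            reenabled = decode_autorun(value, default if default is not None else 0x91)
            if reenabled:
                findings.append(("medium", name, "AutoRun re-allowed for drive types: " + ", ".join(reenabled)))
            else:
                findings.append(("info", name, f"value {value:#x} disables no fewer drive types than the default"))
            continue
        if value == default:
            findings.append(("info", name, f"written as {value}, which already equals the default; no change in posture"))
            continue
        sev, text = MEANINGS.get(name, {}).get(value, ("unknown", f"set to {value}; meaning not tabulated"))
        findings.append((sev, name, text))
    return sorted(findings, key=lambda f: (ORDER[f[0]], f[1]))


def uac_state(observed):
    """Collapse the individual values into the effective UAC mode."""
    if observed.get("System\\EnableLUA") == 0:
        return "disabled"
    if observed.get("System\\ConsentPromptBehaviorAdmin") == 0:
        return "enabled, silent elevation for administrators"
    if observed.get("System\\PromptOnSecureDesktop") == 0:
        return "enabled, prompts on the interactive desktop"
    return "enabled"


def severity_counts(findings):
    return Counter(sev for sev, _, _ in findings)


if __name__ == "__main__":
    print("effective UAC state:", uac_state(OBSERVED))
    for sev, name, text in evaluate(OBSERVED):
        print(f"{sev:8} {name:40} {text}")
```

Two caveats when reading the output: EnableLUA = 0 only takes effect at the next reboot, so a host may still show prompts for a while after infection; and on current Windows builds autorun.inf is ignored on non-optical removable media regardless of NoDriveTypeAutoRun, so lowering that mask re-enables less than it did on older systems.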
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
1 | whatismyipaddress.com
2 | www.whatismyip.ca
1 | whatismyip.everdot.org
1 | www.showmyipaddress.com
-
Drops file in System32 directory 64 IoCs
description | ioc | Process
(64 events, grouped by path and writing process; counts in parentheses)
File opened for modification | C:\Windows\SysWOW64\sregbwvnmvwtfugoncboql.exe | gwijnolzqgs.exe (6), mvsejo.exe (2)
File opened for modification | C:\Windows\SysWOW64\fzheukerlpldkubey.exe | gwijnolzqgs.exe (11), mvsejo.exe (2)
File opened for modification | C:\Windows\SysWOW64\ojsqhythchexfqycxi.exe | gwijnolzqgs.exe (11), mvsejo.exe (2)
File opened for modification | C:\Windows\SysWOW64\zvfewokzvbztcoxcykg.exe | gwijnolzqgs.exe (7), mvsejo.exe (1)
File opened for modification | C:\Windows\SysWOW64\yryujyrdwzulragi.exe | gwijnolzqgs.exe (6), mvsejo.exe (2)
File opened for modification | C:\Windows\SysWOW64\mjuungdtqxwrboyebolw.exe | gwijnolzqgs.exe (5), mvsejo.exe (1)
File opened for modification | C:\Windows\SysWOW64\bzlmgaypnvvrcqbigusef.exe | gwijnolzqgs.exe (5), mvsejo.exe (1)
File created | C:\Windows\SysWOW64\yryujyrdwzulragibkdkgvkdpilgxdmsunwpws.wpb | mvsejo.exe (1)
File created | C:\Windows\SysWOW64\bjfquyghphrxsqlckiqmxbfnowo.ezx | mvsejo.exe (1)
-
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\bjfquyghphrxsqlckiqmxbfnowo.ezx | mvsejo.exe
File created | C:\Program Files (x86)\bjfquyghphrxsqlckiqmxbfnowo.ezx | mvsejo.exe
File opened for modification | C:\Program Files (x86)\yryujyrdwzulragibkdkgvkdpilgxdmsunwpws.wpb | mvsejo.exe
File created | C:\Program Files (x86)\yryujyrdwzulragibkdkgvkdpilgxdmsunwpws.wpb | mvsejo.exe
-
Drops file in Windows directory 64 IoCs
description | ioc | Process
(64 events, grouped by path and writing process; counts in parentheses)
File opened for modification | C:\Windows\sregbwvnmvwtfugoncboql.exe | gwijnolzqgs.exe (9), mvsejo.exe (1)
File opened for modification | C:\Windows\bzlmgaypnvvrcqbigusef.exe | gwijnolzqgs.exe (9)
File opened for modification | C:\Windows\zvfewokzvbztcoxcykg.exe | gwijnolzqgs.exe (6), mvsejo.exe (1)
File opened for modification | C:\Windows\yryujyrdwzulragi.exe | gwijnolzqgs.exe (9), mvsejo.exe (2)
File opened for modification | C:\Windows\fzheukerlpldkubey.exe | gwijnolzqgs.exe (10)
File opened for modification | C:\Windows\mjuungdtqxwrboyebolw.exe | gwijnolzqgs.exe (7), mvsejo.exe (1)
File opened for modification | C:\Windows\ojsqhythchexfqycxi.exe | gwijnolzqgs.exe (7)
File created | C:\Windows\yryujyrdwzulragibkdkgvkdpilgxdmsunwpws.wpb | mvsejo.exe (1)
File created | C:\Windows\bjfquyghphrxsqlckiqmxbfnowo.ezx | mvsejo.exe (1)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | Process
(64 events, all on the same key, grouped by process; counts in parentheses)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yryujyrdwzulragi.exe (13)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fzheukerlpldkubey.exe (11)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mjuungdtqxwrboyebolw.exe (10)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zvfewokzvbztcoxcykg.exe (10)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bzlmgaypnvvrcqbigusef.exe (9)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ojsqhythchexfqycxi.exe (9)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_bdee5e351d4080f6d88d3fb9c6c09c60.exe (1)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mvsejo.exe (1)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
(64 events in the order reported; consecutive identical rows collapsed, counts in parentheses)
2124 | JaffaCakes118_bdee5e351d4080f6d88d3fb9c6c09c60.exe (16)
2220 | mvsejo.exe (2)
2124 | JaffaCakes118_bdee5e351d4080f6d88d3fb9c6c09c60.exe (30)
2220 | mvsejo.exe (2)
2124 | JaffaCakes118_bdee5e351d4080f6d88d3fb9c6c09c60.exe (14)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2220 | mvsejo.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
(64 events; identical consecutive rows collapsed, counts in parentheses)
PID 2124 wrote to memory of 4832 | 2124 | JaffaCakes118_bdee5e351d4080f6d88d3fb9c6c09c60.exe | 906 (3)
PID 5932 wrote to memory of 2928 | 5932 | cmd.exe | 745 (3)
PID 3864 wrote to memory of 5348 | 3864 | cmd.exe | 553 (3)
PID 5348 wrote to memory of 700 | 5348 | bzlmgaypnvvrcqbigusef.exe | 764 (3)
PID 4232 wrote to memory of 3528 | 4232 | cmd.exe | 95 (3)
PID 3528 wrote to memory of 2300 | 3528 | bzlmgaypnvvrcqbigusef.exe | 550 (3)
PID 4352 wrote to memory of 2160 | 4352 | cmd.exe | 1148 (3)
PID 4376 wrote to memory of 3640 | 4376 | cmd.exe | 105 (3)
PID 2272 wrote to memory of 3532 | 2272 | cmd.exe | 958 (3)
PID 492 wrote to memory of 2040 | 492 | cmd.exe | 188 (3)
PID 5768 wrote to memory of 2016 | 5768 | cmd.exe | 866 (3)
PID 2016 wrote to memory of 2460 | 2016 | ojsqhythchexfqycxi.exe | 110 (3)
PID 3532 wrote to memory of 1656 | 3532 | bzlmgaypnvvrcqbigusef.exe | 1150 (3)
PID 4832 wrote to memory of 1588 | 4832 | gwijnolzqgs.exe | 112 (3)
PID 4832 wrote to memory of 2220 | 4832 | gwijnolzqgs.exe | 113 (3)
PID 1112 wrote to memory of 5284 | 1112 | cmd.exe | 116 (3)
PID 2604 wrote to memory of 3400 | 2604 | cmd.exe | 602 (3)
PID 468 wrote to memory of 5388 | 468 | cmd.exe | 122 (3)
PID 1640 wrote to memory of 4808 | 1640 | cmd.exe | 125 (3)
PID 5388 wrote to memory of 3684 | 5388 | zvfewokzvbztcoxcykg.exe | 607 (3)
PID 4808 wrote to memory of 4048 | 4808 | zvfewokzvbztcoxcykg.exe | 129 (3)
PID 1944 wrote to memory of 5404 | 1944 | cmd.exe | 134 (1)
-
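The "wrote to memory of" rows above are the report's record of cross-process memory writes; most distinct rows appear three times, and once the repeats are collapsed they read as a process tree (the original sample writes into gwijnolzqgs.exe, which in turn writes into two children including mvsejo.exe, while cmd.exe instances launch the dropped executables). The following is an added example, not part of the report: it parses rows in the report's own format, collapses the repeats, finds the root processes and prints each parent/child chain. The sample rows are an excerpt copied from the table above; the function names and the rendering are the example's own. The trailing number is the report's procid_target column and is carried through without interpretation.

```python
"""Rebuild the parent/child process chain from Triage-style 'wrote to memory of' rows.
Added example, not part of the sandbox report: SAMPLE_ROWS is an excerpt copied from the
report's table; the tree construction and rendering are this example's own."""
import re
from collections import Counter, defaultdict

SAMPLE_ROWS = """
PID 2124 wrote to memory of 4832 2124 JaffaCakes118_bdee5e351d4080f6d88d3fb9c6c09c60.exe 906
PID 2124 wrote to memory of 4832 2124 JaffaCakes118_bdee5e351d4080f6d88d3fb9c6c09c60.exe 906
PID 2124 wrote to memory of 4832 2124 JaffaCakes118_bdee5e351d4080f6d88d3fb9c6c09c60.exe 906
PID 4832 wrote to memory of 1588 4832 gwijnolzqgs.exe 112
PID 4832 wrote to memory of 1588 4832 gwijnolzqgs.exe 112
PID 4832 wrote to memory of 1588 4832 gwijnolzqgs.exe 112
PID 4832 wrote to memory of 2220 4832 gwijnolzqgs.exe 113
PID 4832 wrote to memory of 2220 4832 gwijnolzqgs.exe 113
PID 4832 wrote to memory of 2220 4832 gwijnolzqgs.exe 113
PID 5768 wrote to memory of 2016 5768 cmd.exe 866
PID 5768 wrote to memory of 2016 5768 cmd.exe 866
PID 5768 wrote to memory of 2016 5768 cmd.exe 866
PID 2016 wrote to memory of 2460 2016 ojsqhythchexfqycxi.exe 110
PID 2016 wrote to memory of 2460 2016 ojsqhythchexfqycxi.exe 110
PID 2016 wrote to memory of 2460 2016 ojsqhythchexfqycxi.exe 110
PID 1944 wrote to memory of 5404 1944 cmd.exe 134
"""

# description text, then the pid column, the Process column and procid_target
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_edges(text):
    """Return {(src_pid, src_name, dst_pid, target_id): count} for every distinct row."""
    counts = Counter()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst, src_again, name, target = m.groups()
        if src != src_again:
            continue        # malformed row: description pid and pid column disagree
        counts[(int(src), name, int(dst), int(target))] += 1
    return counts


def build_tree(counts):
    """children[src_pid] -> [(dst_pid, target_id, count)]; names[pid] -> image name where known."""
    children = defaultdict(list)
    names = {}
    for (src, name, dst, target), n in counts.items():
        names[src] = name           # a pid's name is only known once it writes to someone
        children[src].append((dst, target, n))
    return children, names


def roots(children):
    """PIDs that write to others but are never written to themselves."""
    written_to = {dst for kids in children.values() for dst, _, _ in kids}
    return sorted(p for p in children if p not in written_to)


def render(children, names, pid, depth=0, note=""):
    """Indented lines for pid and everything it (transitively) wrote into."""
    lines = [f"{'  ' * depth}{pid} {names.get(pid, '<no further writes>')}{note}"]
    for dst, target, n in sorted(children.get(pid, [])):
        lines.extend(render(children, names, dst, depth + 1, f"  [target {target}, {n} writes]"))
    return lines


if __name__ == "__main__":
    children, names = build_tree(parse_edges(SAMPLE_ROWS))
    for root in roots(children):
        print("\n".join(render(children, names, root)))
        print()
```

Run it over the full table and the 64 rows collapse to 22 edges; the chains that start at a cmd.exe are the dropped copies being launched, and only pids that later write into another process ever get a name, so leaf pids show as "no further writes".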
System policy modification 1 TTPs 64 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | mvsejo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | mvsejo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | mvsejo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | mvsejo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | mvsejo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | mvsejo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | mvsejo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mvsejo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | mvsejo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mvsejo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | mvsejo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | mvsejo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | mvsejo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | mvsejo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gwijnolzqgs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | mvsejo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gwijnolzqgs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | mvsejo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | mvsejo.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mvsejo.exe
Set value (int)
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" mvsejo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" mvsejo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gwijnolzqgs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" mvsejo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gwijnolzqgs.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gwijnolzqgs.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gwijnolzqgs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" gwijnolzqgs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" mvsejo.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" mvsejo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gwijnolzqgs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System gwijnolzqgs.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" gwijnolzqgs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdee5e351d4080f6d88d3fb9c6c09c60.exe (level 1, PID 2124)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bdee5e351d4080f6d88d3fb9c6c09c60.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 2, PID 4832)
      Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_bdee5e351d4080f6d88d3fb9c6c09c60.exe*"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - System policy modification
        C:\Users\Admin\AppData\Local\Temp\mvsejo.exe (level 3, PID 1588)
          Command line: "C:\Users\Admin\AppData\Local\Temp\mvsejo.exe" "-C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
        C:\Users\Admin\AppData\Local\Temp\mvsejo.exe (level 3, PID 2220)
          Command line: "C:\Users\Admin\AppData\Local\Temp\mvsejo.exe" "-C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe"
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Impair Defenses: Safe Mode Boot
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - System policy modification

C:\Windows\system32\cmd.exe (level 1, PID 5932)
  Command line: C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe
  - Suspicious use of WriteProcessMemory
    C:\Windows\ojsqhythchexfqycxi.exe (level 2, PID 2928)
      Command line: ojsqhythchexfqycxi.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe (level 1, PID 3864)
  Command line: C:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe .
  - Suspicious use of WriteProcessMemory
    C:\Windows\bzlmgaypnvvrcqbigusef.exe (level 2, PID 5348)
      Command line: bzlmgaypnvvrcqbigusef.exe .
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 700)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bzlmgaypnvvrcqbigusef.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 4352)
  Command line: C:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe
  - Suspicious use of WriteProcessMemory
    C:\Windows\yryujyrdwzulragi.exe (level 2, PID 2160)
      Command line: yryujyrdwzulragi.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe (level 1, PID 4232)
  Command line: C:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe .
  - Suspicious use of WriteProcessMemory
    C:\Windows\bzlmgaypnvvrcqbigusef.exe (level 2, PID 3528)
      Command line: bzlmgaypnvvrcqbigusef.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 2300)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bzlmgaypnvvrcqbigusef.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 4376)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe (level 2, PID 3640)
      Command line: C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 5768)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe .
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe (level 2, PID 2016)
      Command line: C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 2460)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ojsqhythchexfqycxi.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 492)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe (level 2, PID 2040)
      Command line: C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe (level 1, PID 2272)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe (level 2, PID 3532)
      Command line: C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 1656)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bzlmgaypnvvrcqbigusef.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 1112)
  Command line: C:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe
  - Suspicious use of WriteProcessMemory
    C:\Windows\fzheukerlpldkubey.exe (level 2, PID 5284)
      Command line: fzheukerlpldkubey.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe (level 1, PID 2604)
  Command line: C:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe
  - Suspicious use of WriteProcessMemory
    C:\Windows\fzheukerlpldkubey.exe (level 2, PID 3400)
      Command line: fzheukerlpldkubey.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 468)
  Command line: C:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe .
  - Suspicious use of WriteProcessMemory
    C:\Windows\zvfewokzvbztcoxcykg.exe (level 2, PID 5388)
      Command line: zvfewokzvbztcoxcykg.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 3684)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zvfewokzvbztcoxcykg.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 1640)
  Command line: C:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe .
  - Suspicious use of WriteProcessMemory
    C:\Windows\zvfewokzvbztcoxcykg.exe (level 2, PID 4808)
      Command line: zvfewokzvbztcoxcykg.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 4048)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zvfewokzvbztcoxcykg.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 1944)
  Command line: C:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe
  - Suspicious use of WriteProcessMemory
    C:\Windows\fzheukerlpldkubey.exe (level 2, PID 5404)
      Command line: fzheukerlpldkubey.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 2396)
  Command line: C:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe .
    C:\Windows\fzheukerlpldkubey.exe (level 2, PID 5876)
      Command line: fzheukerlpldkubey.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 848)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fzheukerlpldkubey.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 5992)
  Command line: C:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe
    C:\Windows\fzheukerlpldkubey.exe (level 2, PID 2020)
      Command line: fzheukerlpldkubey.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 5464)
  Command line: C:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe .
    C:\Windows\fzheukerlpldkubey.exe (level 2, PID 2992)
      Command line: fzheukerlpldkubey.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 2816)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fzheukerlpldkubey.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 3044)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe
    C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe (level 2, PID 2340)
      Command line: C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 1852)
  Command line: C:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe
    C:\Windows\mjuungdtqxwrboyebolw.exe (level 2, PID 5716)
      Command line: mjuungdtqxwrboyebolw.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe (level 1, PID 5164)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe
    C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe (level 2, PID 6088)
      Command line: C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 1744)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .
    C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe (level 2, PID 6112)
      Command line: C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .
      - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 4908)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bzlmgaypnvvrcqbigusef.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification

C:\Windows\system32\cmd.exe (level 1, PID 1604)
  Command line: C:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe .
    C:\Windows\zvfewokzvbztcoxcykg.exe (level 2, PID 2312)
      Command line: zvfewokzvbztcoxcykg.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 4676)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zvfewokzvbztcoxcykg.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 5248)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .
    C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe (level 2, PID 2024)
      Command line: C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 4228)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bzlmgaypnvvrcqbigusef.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 5740)
  Command line: C:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe
    C:\Windows\System32\Conhost.exe (level 2, PID 1020)
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\yryujyrdwzulragi.exe (level 2, PID 3992)
      Command line: yryujyrdwzulragi.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 4524)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe
    C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe (level 2, PID 5936)
      Command line: C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 4548)
  Command line: C:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe .
    C:\Windows\zvfewokzvbztcoxcykg.exe (level 2, PID 4876)
      Command line: zvfewokzvbztcoxcykg.exe .
      - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 2040)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zvfewokzvbztcoxcykg.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 4504)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe
    C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe (level 2, PID 4232)
      Command line: C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 912)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .
    C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe (level 2, PID 4380)
      Command line: C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .
      - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 5928)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bzlmgaypnvvrcqbigusef.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 4800)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe
    C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe (level 2, PID 1736)
      Command line: C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 4872)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .
    C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe (level 2, PID 3864)
      Command line: C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .
      - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 3640)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bzlmgaypnvvrcqbigusef.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 3924)
  Command line: C:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe
    C:\Windows\mjuungdtqxwrboyebolw.exe (level 2, PID 3980)
      Command line: mjuungdtqxwrboyebolw.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 5944)
  Command line: C:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe .
    C:\Windows\yryujyrdwzulragi.exe (level 2, PID 4348)
      Command line: yryujyrdwzulragi.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 6004)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\yryujyrdwzulragi.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 5508)
  Command line: C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe
    C:\Windows\ojsqhythchexfqycxi.exe (level 2, PID 3532)
      Command line: ojsqhythchexfqycxi.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 4736)
  Command line: C:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe .
    C:\Windows\bzlmgaypnvvrcqbigusef.exe (level 2, PID 2256)
      Command line: bzlmgaypnvvrcqbigusef.exe .
      - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 4492)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bzlmgaypnvvrcqbigusef.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 3480)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe
    C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe (level 2, PID 5616)
      Command line: C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 4476)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe .
    C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe (level 2, PID 2028)
      Command line: C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe .
      - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 1028)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\yryujyrdwzulragi.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 672)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe
    C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe (level 2, PID 2640)
      Command line: C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 2936)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe .
    C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe (level 2, PID 5620)
      Command line: C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe .
      - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 4420)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ojsqhythchexfqycxi.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification

C:\Windows\system32\cmd.exe (level 1, PID 5372)
  Command line: C:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe
    C:\Windows\zvfewokzvbztcoxcykg.exe (level 2, PID 4256)
      Command line: zvfewokzvbztcoxcykg.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 2996)
  Command line: C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe .
    C:\Windows\ojsqhythchexfqycxi.exe (level 2, PID 748)
      Command line: ojsqhythchexfqycxi.exe .
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 5668)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ojsqhythchexfqycxi.exe*."
          - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 2880)
  Command line: C:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe
    C:\Windows\yryujyrdwzulragi.exe (level 2, PID 4432)
      Command line: yryujyrdwzulragi.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 4088)
  Command line: C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe
    C:\Windows\ojsqhythchexfqycxi.exe (level 2, PID 6092)
      Command line: ojsqhythchexfqycxi.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 2952)
  Command line: C:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe
    C:\Windows\bzlmgaypnvvrcqbigusef.exe (level 2, PID 5632)
      Command line: bzlmgaypnvvrcqbigusef.exe
      - Executes dropped EXE

C:\Windows\system32\cmd.exe (level 1, PID 792)
  Command line: C:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe .
    C:\Windows\fzheukerlpldkubey.exe (level 2, PID 1068)
      Command line: fzheukerlpldkubey.exe .
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 5060)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fzheukerlpldkubey.exe*."

C:\Windows\system32\cmd.exe (level 1, PID 1968)
  Command line: C:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe .
    C:\Windows\zvfewokzvbztcoxcykg.exe (level 2, PID 2396)
      Command line: zvfewokzvbztcoxcykg.exe .
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 5972)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zvfewokzvbztcoxcykg.exe*."

C:\Windows\system32\cmd.exe (level 1, PID 1600)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe
    C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe (level 2, PID 3360)
      Command line: C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe
      - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe (level 1, PID 736)
  Command line: C:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe .
    C:\Windows\yryujyrdwzulragi.exe (level 2, PID 428)
      Command line: yryujyrdwzulragi.exe .
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 4556)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\yryujyrdwzulragi.exe*."

C:\Windows\system32\cmd.exe (level 1, PID 2052)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe .
    C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe (level 2, PID 2648)
      Command line: C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe .
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 4540)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\fzheukerlpldkubey.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification

C:\Windows\system32\cmd.exe (level 1, PID 4996)
  Command line: C:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe
    C:\Windows\yryujyrdwzulragi.exe (level 2, PID 4228)
      Command line: yryujyrdwzulragi.exe

C:\Windows\system32\cmd.exe (level 1, PID 2548)
  Command line: C:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe .
    C:\Windows\fzheukerlpldkubey.exe (level 2, PID 2300)
      Command line: fzheukerlpldkubey.exe .
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 4360)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fzheukerlpldkubey.exe*."

C:\Windows\system32\cmd.exe (level 1, PID 2568)
  Command line: C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe
    C:\Windows\ojsqhythchexfqycxi.exe (level 2, PID 1020)
      Command line: ojsqhythchexfqycxi.exe

C:\Windows\system32\cmd.exe (level 1, PID 5828)
  Command line: C:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe .
    C:\Windows\yryujyrdwzulragi.exe (level 2, PID 5940)
      Command line: yryujyrdwzulragi.exe .
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 4892)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\yryujyrdwzulragi.exe*."

C:\Windows\system32\cmd.exe (level 1, PID 5744)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe
    C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe (level 2, PID 4932)
      Command line: C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe

C:\Windows\system32\cmd.exe (level 1, PID 3484)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe .
    C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe (level 2, PID 3860)
      Command line: C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe .
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 3652)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\fzheukerlpldkubey.exe*."

C:\Windows\system32\cmd.exe (level 1, PID 1584)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe
    C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe (level 2, PID 4368)
      Command line: C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe

C:\Windows\system32\cmd.exe (level 1, PID 5428)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe
    C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe (level 2, PID 2332)
      Command line: C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe

C:\Windows\system32\cmd.exe (level 1, PID 4524)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe .
    C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe (level 2, PID 4204)
      Command line: C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe .
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 1456)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\mjuungdtqxwrboyebolw.exe*."

C:\Windows\system32\cmd.exe (level 1, PID 4608)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe .
    C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe (level 2, PID 4156)
      Command line: C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe .
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 1716)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\mjuungdtqxwrboyebolw.exe*."

C:\Windows\system32\cmd.exe (level 1, PID 3920)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe
    C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe (level 2, PID 3396)
      Command line: C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe

C:\Windows\system32\cmd.exe (level 1, PID 1264)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe .
    C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe (level 2, PID 5536)
      Command line: C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe .
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 3180)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\mjuungdtqxwrboyebolw.exe*."

C:\Windows\system32\cmd.exe (level 1, PID 4972)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe
    C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe (level 2, PID 1040)
      Command line: C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe

C:\Windows\system32\cmd.exe (level 1, PID 1936)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe .
    C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe (level 2, PID 2944)
      Command line: C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe .
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 5320)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\fzheukerlpldkubey.exe*."

C:\Windows\system32\cmd.exe (level 1, PID 2016)
  Command line: C:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe
    C:\Windows\yryujyrdwzulragi.exe (level 2, PID 4240)
      Command line: yryujyrdwzulragi.exe

C:\Windows\system32\cmd.exe (level 1, PID 4000)
  Command line: C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe .
    C:\Windows\ojsqhythchexfqycxi.exe (level 2, PID 4564)
      Command line: ojsqhythchexfqycxi.exe .
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 4292)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ojsqhythchexfqycxi.exe*."

C:\Windows\system32\cmd.exe (level 1, PID 3540)
  Command line: C:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe
    C:\Windows\bzlmgaypnvvrcqbigusef.exe (level 2, PID 5380)
      Command line: bzlmgaypnvvrcqbigusef.exe

C:\Windows\system32\cmd.exe (level 1, PID 756)
  Command line: C:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe .
    C:\Windows\zvfewokzvbztcoxcykg.exe (level 2, PID 588)
      Command line: zvfewokzvbztcoxcykg.exe .
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 696)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zvfewokzvbztcoxcykg.exe*."

C:\Windows\system32\cmd.exe (level 1, PID 4964)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe
    C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe (level 2, PID 5620)
      Command line: C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe

C:\Windows\system32\cmd.exe (level 1, PID 728)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe .
    C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe (level 2, PID 468)
      Command line: C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe .
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 2416)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ojsqhythchexfqycxi.exe*."

C:\Windows\system32\cmd.exe (level 1, PID 3940)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe
    C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe (level 2, PID 4496)
      Command line: C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe

C:\Windows\system32\cmd.exe (level 1, PID 3760)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe .
    C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe (level 2, PID 1004)
      Command line: C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe .
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 4644)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\mjuungdtqxwrboyebolw.exe*."
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification

C:\Windows\system32\cmd.exe (level 1, PID 4052)
  Command line: C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe
    C:\Windows\ojsqhythchexfqycxi.exe (level 2, PID 4088)
      Command line: ojsqhythchexfqycxi.exe

C:\Windows\system32\cmd.exe (level 1, PID 5412)
  Command line: C:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe .
    C:\Windows\yryujyrdwzulragi.exe (level 2, PID 6128)
      Command line: yryujyrdwzulragi.exe .
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 3868)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\yryujyrdwzulragi.exe*."

C:\Windows\system32\cmd.exe (level 1, PID 2192)
  Command line: C:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe
    C:\Windows\zvfewokzvbztcoxcykg.exe (level 2, PID 3616)
      Command line: zvfewokzvbztcoxcykg.exe

C:\Windows\system32\cmd.exe (level 1, PID 3288)
  Command line: C:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe .
    C:\Windows\yryujyrdwzulragi.exe (level 2, PID 1968)
      Command line: yryujyrdwzulragi.exe .
      - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe (level 3, PID 792)
          Command line: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\yryujyrdwzulragi.exe*."

C:\Windows\system32\cmd.exe (level 1, PID 5444)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe
    C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe (level 2, PID 5008)
      Command line: C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe .1⤵PID:5960
-
C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exeC:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5532 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\fzheukerlpldkubey.exe*."3⤵PID:1304
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe1⤵PID:4952
-
C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exeC:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe2⤵PID:4552
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe .1⤵PID:3356
-
C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exeC:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3672 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zvfewokzvbztcoxcykg.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe1⤵PID:4596
-
C:\Windows\mjuungdtqxwrboyebolw.exemjuungdtqxwrboyebolw.exe2⤵PID:5928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe .1⤵PID:5080
-
C:\Windows\fzheukerlpldkubey.exefzheukerlpldkubey.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5076 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fzheukerlpldkubey.exe*."3⤵PID:656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe1⤵PID:5468
-
C:\Windows\mjuungdtqxwrboyebolw.exemjuungdtqxwrboyebolw.exe2⤵PID:248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe .1⤵PID:2928
-
C:\Windows\zvfewokzvbztcoxcykg.exezvfewokzvbztcoxcykg.exe .2⤵PID:4068
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zvfewokzvbztcoxcykg.exe*."3⤵PID:3832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe1⤵PID:2024
-
C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exeC:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe2⤵PID:1456
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe .1⤵PID:2280
-
C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exeC:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1048 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\fzheukerlpldkubey.exe*."3⤵PID:5944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe1⤵PID:4504
-
C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exeC:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe2⤵PID:5500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe .1⤵PID:3908
-
C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exeC:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3960 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\yryujyrdwzulragi.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe1⤵PID:5616
-
C:\Windows\bzlmgaypnvvrcqbigusef.exebzlmgaypnvvrcqbigusef.exe2⤵PID:5252
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe .1⤵PID:1776
-
C:\Windows\zvfewokzvbztcoxcykg.exezvfewokzvbztcoxcykg.exe .2⤵PID:5976
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zvfewokzvbztcoxcykg.exe*."3⤵PID:4544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe1⤵PID:5968
-
C:\Windows\bzlmgaypnvvrcqbigusef.exebzlmgaypnvvrcqbigusef.exe2⤵PID:3532
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe .1⤵PID:2676
-
C:\Windows\mjuungdtqxwrboyebolw.exemjuungdtqxwrboyebolw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:700 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\mjuungdtqxwrboyebolw.exe*."3⤵PID:1772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe1⤵PID:4564
-
C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exeC:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe2⤵PID:4792
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe .1⤵PID:1028
-
C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exeC:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5380 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ojsqhythchexfqycxi.exe*."3⤵PID:4668
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe1⤵PID:5268
-
C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exeC:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe2⤵PID:3780
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe .1⤵PID:1112
-
C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exeC:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe .2⤵PID:2852
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zvfewokzvbztcoxcykg.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1204
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe1⤵PID:2724
-
C:\Windows\bzlmgaypnvvrcqbigusef.exebzlmgaypnvvrcqbigusef.exe2⤵PID:3376
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe .1⤵PID:4496
-
C:\Windows\mjuungdtqxwrboyebolw.exemjuungdtqxwrboyebolw.exe .2⤵PID:5520
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\mjuungdtqxwrboyebolw.exe*."3⤵PID:2964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe1⤵PID:3428
-
C:\Windows\ojsqhythchexfqycxi.exeojsqhythchexfqycxi.exe2⤵PID:6140
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe .1⤵PID:3044
-
C:\Windows\bzlmgaypnvvrcqbigusef.exebzlmgaypnvvrcqbigusef.exe .2⤵
- System Location Discovery: System Language Discovery
PID:6092 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bzlmgaypnvvrcqbigusef.exe*."3⤵PID:1468
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe1⤵PID:4288
-
C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exeC:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe2⤵PID:1168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe .1⤵PID:3680
-
C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exeC:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe .2⤵PID:6056
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zvfewokzvbztcoxcykg.exe*."3⤵PID:4216
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe1⤵PID:488
-
C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exeC:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe2⤵PID:3492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe .1⤵PID:3288
-
C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exeC:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe .2⤵PID:4444
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\yryujyrdwzulragi.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe1⤵PID:5960
-
C:\Windows\zvfewokzvbztcoxcykg.exezvfewokzvbztcoxcykg.exe2⤵PID:1020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe .1⤵PID:4832
-
C:\Windows\zvfewokzvbztcoxcykg.exezvfewokzvbztcoxcykg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4756 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zvfewokzvbztcoxcykg.exe*."3⤵PID:932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe1⤵PID:3356
-
C:\Windows\mjuungdtqxwrboyebolw.exemjuungdtqxwrboyebolw.exe2⤵PID:5496
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe .1⤵PID:4860
-
C:\Windows\bzlmgaypnvvrcqbigusef.exebzlmgaypnvvrcqbigusef.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4868 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bzlmgaypnvvrcqbigusef.exe*."3⤵PID:656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe1⤵PID:3648
-
C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exeC:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe2⤵PID:5248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .1⤵PID:4892
-
C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exeC:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3992 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bzlmgaypnvvrcqbigusef.exe*."3⤵PID:5936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe1⤵PID:4732
-
C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exeC:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe2⤵PID:5676
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe .1⤵PID:2548
-
C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exeC:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe .2⤵PID:2204
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\mjuungdtqxwrboyebolw.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5508
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe1⤵PID:3996
-
C:\Windows\fzheukerlpldkubey.exefzheukerlpldkubey.exe2⤵PID:5916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe .1⤵PID:5500
-
C:\Windows\bzlmgaypnvvrcqbigusef.exebzlmgaypnvvrcqbigusef.exe .2⤵
- System Location Discovery: System Language Discovery
PID:4812 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bzlmgaypnvvrcqbigusef.exe*."3⤵PID:1596
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe1⤵PID:1528
-
C:\Windows\yryujyrdwzulragi.exeyryujyrdwzulragi.exe2⤵PID:1604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe .1⤵PID:2432
-
C:\Windows\yryujyrdwzulragi.exeyryujyrdwzulragi.exe .2⤵PID:3156
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\yryujyrdwzulragi.exe*."3⤵PID:3272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe1⤵PID:3228
-
C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exeC:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe2⤵PID:1936
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe .1⤵PID:1692
-
C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exeC:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1076 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\mjuungdtqxwrboyebolw.exe*."3⤵PID:4736
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe1⤵PID:1964
-
C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exeC:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe2⤵PID:2676
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe .1⤵PID:5448
-
C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exeC:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5192 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\yryujyrdwzulragi.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe1⤵PID:4668
-
C:\Windows\bzlmgaypnvvrcqbigusef.exebzlmgaypnvvrcqbigusef.exe2⤵PID:5600
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe .1⤵PID:3684
-
C:\Windows\mjuungdtqxwrboyebolw.exemjuungdtqxwrboyebolw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3132 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\mjuungdtqxwrboyebolw.exe*."3⤵PID:3712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe1⤵PID:1172
-
C:\Windows\zvfewokzvbztcoxcykg.exezvfewokzvbztcoxcykg.exe2⤵PID:1932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe1⤵PID:928
-
C:\Windows\ojsqhythchexfqycxi.exeojsqhythchexfqycxi.exe2⤵PID:1472
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe .1⤵PID:2032
-
C:\Windows\ojsqhythchexfqycxi.exeojsqhythchexfqycxi.exe .2⤵PID:5520
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ojsqhythchexfqycxi.exe*."3⤵PID:3364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe1⤵PID:4540
-
C:\Windows\ojsqhythchexfqycxi.exeojsqhythchexfqycxi.exe2⤵PID:5420
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe .1⤵PID:1944
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4496
-
-
C:\Windows\yryujyrdwzulragi.exeyryujyrdwzulragi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3732 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\yryujyrdwzulragi.exe*."3⤵PID:5332
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe1⤵PID:504
-
C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exeC:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe2⤵PID:5548
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe1⤵PID:968
-
C:\Windows\mjuungdtqxwrboyebolw.exemjuungdtqxwrboyebolw.exe2⤵PID:5412
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe .1⤵PID:5060
-
C:\Windows\bzlmgaypnvvrcqbigusef.exebzlmgaypnvvrcqbigusef.exe .2⤵PID:5972
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bzlmgaypnvvrcqbigusef.exe*."3⤵PID:2492
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe .1⤵PID:4084
-
C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exeC:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3492 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\yryujyrdwzulragi.exe*."3⤵PID:4968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe .1⤵PID:3360
-
C:\Windows\zvfewokzvbztcoxcykg.exezvfewokzvbztcoxcykg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:5444 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zvfewokzvbztcoxcykg.exe*."3⤵PID:4912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe1⤵PID:5216
-
C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exeC:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe2⤵PID:3964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe1⤵PID:5788
-
C:\Windows\yryujyrdwzulragi.exeyryujyrdwzulragi.exe2⤵PID:932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe .1⤵PID:2892
-
C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exeC:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\yryujyrdwzulragi.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:5744
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe .1⤵PID:5376
-
C:\Windows\zvfewokzvbztcoxcykg.exezvfewokzvbztcoxcykg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2300 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zvfewokzvbztcoxcykg.exe*."3⤵PID:3396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe1⤵PID:5752
-
C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exeC:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe2⤵PID:1236
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe1⤵PID:5456
-
C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exeC:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe2⤵PID:4588
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .1⤵PID:5348
-
C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exeC:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .2⤵PID:5196
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bzlmgaypnvvrcqbigusef.exe*."3⤵PID:2160
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .1⤵PID:3768
-
C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exeC:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2856 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bzlmgaypnvvrcqbigusef.exe*."3⤵PID:128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe1⤵PID:2092
-
C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exeC:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe2⤵PID:4984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe .1⤵PID:220
-
C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exeC:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2284 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\yryujyrdwzulragi.exe*."3⤵PID:5844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe1⤵PID:1456
-
C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exeC:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe2⤵PID:2388
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .1⤵PID:1736
-
C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exeC:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .2⤵PID:4436
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bzlmgaypnvvrcqbigusef.exe*."3⤵PID:5704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe1⤵PID:1596
-
C:\Windows\fzheukerlpldkubey.exefzheukerlpldkubey.exe2⤵PID:1604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe .1⤵PID:4152
-
C:\Windows\fzheukerlpldkubey.exefzheukerlpldkubey.exe .2⤵PID:2088
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fzheukerlpldkubey.exe*."3⤵PID:1264
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe1⤵PID:3180
-
C:\Windows\ojsqhythchexfqycxi.exeojsqhythchexfqycxi.exe2⤵PID:3076
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe .1⤵PID:5356
-
C:\Windows\mjuungdtqxwrboyebolw.exemjuungdtqxwrboyebolw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1776 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\mjuungdtqxwrboyebolw.exe*."3⤵PID:2108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe1⤵PID:5108
-
C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exeC:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe2⤵PID:5508
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe .1⤵PID:5852
-
C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exeC:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:1208 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\mjuungdtqxwrboyebolw.exe*."3⤵PID:2968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe1⤵PID:1164
-
C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exeC:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe2⤵PID:3400
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe .1⤵PID:1248
-
C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exeC:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe .2⤵
- System Location Discovery: System Language Discovery
PID:2068 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ojsqhythchexfqycxi.exe*."3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:3132
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe1⤵PID:3684
-
C:\Windows\mjuungdtqxwrboyebolw.exemjuungdtqxwrboyebolw.exe2⤵PID:2416
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe .1⤵PID:4864
-
C:\Windows\mjuungdtqxwrboyebolw.exemjuungdtqxwrboyebolw.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3148 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\mjuungdtqxwrboyebolw.exe*."3⤵PID:4396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe1⤵PID:6092
-
C:\Windows\fzheukerlpldkubey.exefzheukerlpldkubey.exe2⤵PID:3364
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe .1⤵PID:4032
-
C:\Windows\zvfewokzvbztcoxcykg.exezvfewokzvbztcoxcykg.exe .2⤵
- System Location Discovery: System Language Discovery
PID:3352 -
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zvfewokzvbztcoxcykg.exe*."3⤵PID:5164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe1⤵PID:1856
-
C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exeC:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe2⤵PID:2192
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe .1⤵PID:5720
-
C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exeC:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe .2⤵PID:3616
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zvfewokzvbztcoxcykg.exe*."3⤵PID:5464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe1⤵PID:428
-
C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exeC:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe2⤵PID:2140
-
-
Process tree rows, one per process: depth in brackets, then image path | command line | PID; sandbox signature hits for a process are listed on the line beneath it.

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe . | PID 3288
  [2] C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe | C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe . | PID 2988
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\fzheukerlpldkubey.exe*." | PID 4228
        signatures: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe | PID 932
  [2] C:\Windows\bzlmgaypnvvrcqbigusef.exe | bzlmgaypnvvrcqbigusef.exe | PID 4980

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe . | PID 736
  [2] C:\Windows\ojsqhythchexfqycxi.exe | ojsqhythchexfqycxi.exe . | PID 6112
      signatures: System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ojsqhythchexfqycxi.exe*." | PID 1132

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe | PID 1696
  [2] C:\Windows\ojsqhythchexfqycxi.exe | ojsqhythchexfqycxi.exe | PID 2428

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe . | PID 2568
  [2] C:\Windows\bzlmgaypnvvrcqbigusef.exe | bzlmgaypnvvrcqbigusef.exe . | PID 5824
      signatures: System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bzlmgaypnvvrcqbigusef.exe*." | PID 2332

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe | PID 4788
  [2] C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe | C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe | PID 4612

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe . | PID 4376
  [2] C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe . | PID 4984
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\yryujyrdwzulragi.exe*." | PID 3832

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe | PID 5944
  [2] C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe | C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe | PID 3640

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe . | PID 5476
  [2] C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe | C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe . | PID 3512
      signatures: System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zvfewokzvbztcoxcykg.exe*." | PID 2924
        signatures: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe | PID 6028
  [2] C:\Windows\mjuungdtqxwrboyebolw.exe | mjuungdtqxwrboyebolw.exe | PID 5568

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe . | PID 2312
  [2] C:\Windows\yryujyrdwzulragi.exe | yryujyrdwzulragi.exe . | PID 2672
      signatures: System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\yryujyrdwzulragi.exe*." | PID 1836

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe | PID 5804
  [2] C:\Windows\ojsqhythchexfqycxi.exe | ojsqhythchexfqycxi.exe | PID 1684

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe . | PID 1376
  [2] C:\Windows\bzlmgaypnvvrcqbigusef.exe | bzlmgaypnvvrcqbigusef.exe . | PID 5884
      signatures: System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bzlmgaypnvvrcqbigusef.exe*." | PID 3688

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | PID 2804
  [2] C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | PID 2016

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe . | PID 1424
  [2] C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe | C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe . | PID 5648
      signatures: System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\mjuungdtqxwrboyebolw.exe*." | PID 1208

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe | PID 4528
  [2] C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe | C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe | PID 2596

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe . | PID 996
  [2] C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe | C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe . | PID 5468
      signatures: System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\fzheukerlpldkubey.exe*." | PID 2936
        signatures: Modifies WinLogon for persistence; UAC bypass; Adds policy Run key to start application; Adds Run key to start application; Checks whether UAC is enabled; Drops file in System32 directory; Drops file in Windows directory; System policy modification

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe | PID 5484
  [2] C:\Windows\zvfewokzvbztcoxcykg.exe | zvfewokzvbztcoxcykg.exe | PID 584

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe . | PID 4256
  [2] C:\Windows\yryujyrdwzulragi.exe | yryujyrdwzulragi.exe . | PID 3184
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\yryujyrdwzulragi.exe*." | PID 5552

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe | PID 2964
  [2] C:\Windows\ojsqhythchexfqycxi.exe | ojsqhythchexfqycxi.exe | PID 1072

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe . | PID 1808
  [2] C:\Windows\fzheukerlpldkubey.exe | fzheukerlpldkubey.exe . | PID 4840
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fzheukerlpldkubey.exe*." | PID 3968

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe | PID 3884
  [2] C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe | C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe | PID 2020

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe . | PID 3804
  [2] C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe . | PID 3636
      signatures: System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\yryujyrdwzulragi.exe*." | PID 576

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe | PID 5932
  [2] C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe | C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe | PID 2688

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe . | PID 5972
  [2] C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe | C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe . | PID 4968
      signatures: System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ojsqhythchexfqycxi.exe*." | PID 5172

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe | PID 6032
  [2] C:\Windows\ojsqhythchexfqycxi.exe | ojsqhythchexfqycxi.exe | PID 4556

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe . | PID 4912
  [2] C:\Windows\mjuungdtqxwrboyebolw.exe | mjuungdtqxwrboyebolw.exe . | PID 4368
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\mjuungdtqxwrboyebolw.exe*." | PID 4560

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe | PID 5788
  [2] C:\Windows\fzheukerlpldkubey.exe | fzheukerlpldkubey.exe | PID 4588

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe . | PID 3992
  [2] C:\Windows\zvfewokzvbztcoxcykg.exe | zvfewokzvbztcoxcykg.exe . | PID 2288
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zvfewokzvbztcoxcykg.exe*." | PID 2568

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe | PID 3848
  [2] C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe | C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe | PID 5836

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe . | PID 2064
  [2] C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe | C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe . | PID 3564
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ojsqhythchexfqycxi.exe*." | PID 736

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe | PID 4080
  [2] C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe | C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe | PID 4688

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe . | PID 5916
  [2] C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe . | PID 2928
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\yryujyrdwzulragi.exe*." | PID 2388

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe | PID 2860
  [2] C:\Windows\bzlmgaypnvvrcqbigusef.exe | bzlmgaypnvvrcqbigusef.exe | PID 492

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe . | PID 3736
  [2] C:\Windows\ojsqhythchexfqycxi.exe | ojsqhythchexfqycxi.exe . | PID 2284
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ojsqhythchexfqycxi.exe*." | PID 5768

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe | PID 1836
  [2] C:\Windows\ojsqhythchexfqycxi.exe | ojsqhythchexfqycxi.exe | PID 3960

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe . | PID 1736
  [2] C:\Windows\ojsqhythchexfqycxi.exe | ojsqhythchexfqycxi.exe . | PID 5320
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ojsqhythchexfqycxi.exe*." | PID 3228

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe | PID 2312
  [2] C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe | C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe | PID 5804

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe . | PID 700
  [2] C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe | C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe . | PID 2676
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ojsqhythchexfqycxi.exe*." | PID 280

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe | PID 2836
  [2] C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe | C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe | PID 4000

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe . | PID 5500
  [2] C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe | C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe . | PID 5828
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ojsqhythchexfqycxi.exe*." | PID 2812

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe | PID 4132
  [2] C:\Windows\ojsqhythchexfqycxi.exe | ojsqhythchexfqycxi.exe | PID 696

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe . | PID 4884
  [2] C:\Windows\mjuungdtqxwrboyebolw.exe | mjuungdtqxwrboyebolw.exe . | PID 5176
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\mjuungdtqxwrboyebolw.exe*." | PID 3148

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe | PID 1792
  [2] C:\Windows\zvfewokzvbztcoxcykg.exe | zvfewokzvbztcoxcykg.exe | PID 5552

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe | PID 4196
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4540
  [2] C:\Windows\mjuungdtqxwrboyebolw.exe | mjuungdtqxwrboyebolw.exe | PID 3892

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe . | PID 2996
  [2] C:\Windows\ojsqhythchexfqycxi.exe | ojsqhythchexfqycxi.exe . | PID 3376
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ojsqhythchexfqycxi.exe*." | PID 1984

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe . | PID 4864
  [2] C:\Windows\mjuungdtqxwrboyebolw.exe | mjuungdtqxwrboyebolw.exe . | PID 3968
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\mjuungdtqxwrboyebolw.exe*." | PID 3636

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe | PID 5876
  [2] C:\Windows\bzlmgaypnvvrcqbigusef.exe | bzlmgaypnvvrcqbigusef.exe | PID 2816

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | PID 2032
  [2] C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | PID 5720

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe . | PID 3384
  [2] C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe | C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe . | PID 3288
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\fzheukerlpldkubey.exe*." | PID 4684

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe | PID 5952
  [2] C:\Windows\ojsqhythchexfqycxi.exe | ojsqhythchexfqycxi.exe | PID 4952

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe . | PID 3712
  [2] C:\Windows\ojsqhythchexfqycxi.exe | ojsqhythchexfqycxi.exe . | PID 5040
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ojsqhythchexfqycxi.exe*." | PID 2568

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe . | PID 2764
  [2] C:\Windows\bzlmgaypnvvrcqbigusef.exe | bzlmgaypnvvrcqbigusef.exe . | PID 4744
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bzlmgaypnvvrcqbigusef.exe*." | PID 3048

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | PID 4024
  [2] C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | PID 3564

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe | PID 6112
  [2] C:\Windows\ojsqhythchexfqycxi.exe | ojsqhythchexfqycxi.exe | PID 4092

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe | PID 1176
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4368
  [2] C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe | C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe | PID 2608

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe . | PID 4948
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3672
  [2] C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe | C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe . | PID 5456
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\fzheukerlpldkubey.exe*." | PID 5724

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe . | PID 2304
  [2] C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe | C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe . | PID 3832
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ojsqhythchexfqycxi.exe*." | PID 4204

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe . | PID 4588
  [2] C:\Windows\yryujyrdwzulragi.exe | yryujyrdwzulragi.exe . | PID 5792
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\yryujyrdwzulragi.exe*." | PID 3924

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | PID 5680
  [2] C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | PID 3080

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe | PID 3516
  [2] C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe | C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe | PID 5080

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe . | PID 3600
  [2] C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe . | PID 248
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\yryujyrdwzulragi.exe*." | PID 2088

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe . | PID 4688
  [2] C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe | C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe . | PID 492
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\fzheukerlpldkubey.exe*." | PID 1264

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe | PID 1040
  [2] C:\Windows\ojsqhythchexfqycxi.exe | ojsqhythchexfqycxi.exe | PID 3588

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe | PID 1548
  [2] C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe | C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe | PID 6080

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe . | PID 5544
  [2] C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe | C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe . | PID 6004
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\fzheukerlpldkubey.exe*." | PID 1452

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe . | PID 1596
  [2] C:\Windows\bzlmgaypnvvrcqbigusef.exe | bzlmgaypnvvrcqbigusef.exe . | PID 3864
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bzlmgaypnvvrcqbigusef.exe*." | PID 2528

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe | PID 2016
  [2] C:\Windows\bzlmgaypnvvrcqbigusef.exe | bzlmgaypnvvrcqbigusef.exe | PID 1376

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe . | PID 3544
  [2] C:\Windows\yryujyrdwzulragi.exe | yryujyrdwzulragi.exe . | PID 5380
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\yryujyrdwzulragi.exe*." | PID 3540

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | PID 2640
  [2] C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | PID 1284

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe . | PID 364
  [2] C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe | C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe . | PID 5500
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\mjuungdtqxwrboyebolw.exe*." | PID 5608

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe | PID 5024
  [2] C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe | C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe | PID 4668

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe . | PID 1780
  [2] C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe | C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe . | PID 904
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zvfewokzvbztcoxcykg.exe*." | PID 1688

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe | PID 5668
  [2] C:\Windows\mjuungdtqxwrboyebolw.exe | mjuungdtqxwrboyebolw.exe | PID 4256

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe . | PID 4540
  [2] C:\Windows\zvfewokzvbztcoxcykg.exe | zvfewokzvbztcoxcykg.exe . | PID 4300
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zvfewokzvbztcoxcykg.exe*." | PID 5520

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe | PID 1944
  [2] C:\Windows\ojsqhythchexfqycxi.exe | ojsqhythchexfqycxi.exe | PID 4696

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe . | PID 6024
  [2] C:\Windows\zvfewokzvbztcoxcykg.exe | zvfewokzvbztcoxcykg.exe . | PID 2992
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zvfewokzvbztcoxcykg.exe*." | PID 4572

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | PID 3352
  [2] C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | PID 2996

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe . | PID 5396
  [2] C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe | C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe . | PID 4832
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zvfewokzvbztcoxcykg.exe*." | PID 656

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe | PID 5652
  [2] C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe | C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe | PID 3756

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe . | PID 1676
  [2] C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe | C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe . | PID 5264
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ojsqhythchexfqycxi.exe*." | PID 4584

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe | PID 2492
  [2] C:\Windows\fzheukerlpldkubey.exe | fzheukerlpldkubey.exe | PID 2764

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe . | PID 1068
  [2] C:\Windows\yryujyrdwzulragi.exe | yryujyrdwzulragi.exe . | PID 5924
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\yryujyrdwzulragi.exe*." | PID 5328

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe | PID 5092
  [2] C:\Windows\fzheukerlpldkubey.exe | fzheukerlpldkubey.exe | PID 5248

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe . | PID 4556
  [2] C:\Windows\mjuungdtqxwrboyebolw.exe | mjuungdtqxwrboyebolw.exe . | PID 4108
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\mjuungdtqxwrboyebolw.exe*." | PID 3832

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe | PID 4232
  [2] C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe | C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe | PID 4984

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe . | PID 4568
  [2] C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe | C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe . | PID 3768
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zvfewokzvbztcoxcykg.exe*." | PID 5416

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe | PID 3924
  [2] C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe | C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe | PID 4452

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe . | PID 4592
  [2] C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe | C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe . | PID 1228
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\mjuungdtqxwrboyebolw.exe*." | PID 3588

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe | PID 4068
  [2] C:\Windows\mjuungdtqxwrboyebolw.exe | mjuungdtqxwrboyebolw.exe | PID 3228

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe . | PID 1380
  [2] C:\Windows\zvfewokzvbztcoxcykg.exe | zvfewokzvbztcoxcykg.exe . | PID 1548
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zvfewokzvbztcoxcykg.exe*." | PID 4896

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe | PID 4408
  [2] C:\Windows\yryujyrdwzulragi.exe | yryujyrdwzulragi.exe | PID 128

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe . | PID 2312
  [2] C:\Windows\mjuungdtqxwrboyebolw.exe | mjuungdtqxwrboyebolw.exe . | PID 1260
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\mjuungdtqxwrboyebolw.exe*." | PID 3532

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe | PID 2676
  [2] C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe | C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe | PID 1076

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe . | PID 5108
  [2] C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe . | PID 4528
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\yryujyrdwzulragi.exe*." | PID 1164

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe | PID 6108
  [2] C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe | C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe | PID 3572

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe . | PID 1532
  [2] C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe | C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe . | PID 3520
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zvfewokzvbztcoxcykg.exe*." | PID 5600

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe | PID 4892
  [2] C:\Windows\bzlmgaypnvvrcqbigusef.exe | bzlmgaypnvvrcqbigusef.exe | PID 1436

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe . | PID 904
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4908
  [2] C:\Windows\zvfewokzvbztcoxcykg.exe | zvfewokzvbztcoxcykg.exe . | PID 1112
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zvfewokzvbztcoxcykg.exe*." | PID 3812

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe | PID 2060
  [2] C:\Windows\yryujyrdwzulragi.exe | yryujyrdwzulragi.exe | PID 5164

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe | PID 5504
  [2] C:\Windows\fzheukerlpldkubey.exe | fzheukerlpldkubey.exe | PID 3364

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe . | PID 3968
  [2] C:\Windows\ojsqhythchexfqycxi.exe | ojsqhythchexfqycxi.exe . | PID 1172
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ojsqhythchexfqycxi.exe*." | PID 1108

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe . | PID 5720
  [2] C:\Windows\ojsqhythchexfqycxi.exe | ojsqhythchexfqycxi.exe . | PID 4072
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ojsqhythchexfqycxi.exe*." | PID 5652

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe | PID 1072
  [2] C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe | C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe | PID 3828

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe . | PID 2020
  [2] C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe . | PID 4888
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\yryujyrdwzulragi.exe*." | PID 1140

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe | PID 1944
  [2] C:\Windows\bzlmgaypnvvrcqbigusef.exe | bzlmgaypnvvrcqbigusef.exe | PID 4596

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe | PID 3964
  [2] C:\Windows\zvfewokzvbztcoxcykg.exe | zvfewokzvbztcoxcykg.exe | PID 5040

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe . | PID 3004
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5444
  [2] C:\Windows\bzlmgaypnvvrcqbigusef.exe | bzlmgaypnvvrcqbigusef.exe . | PID 4644
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bzlmgaypnvvrcqbigusef.exe*." | PID 4836

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe . | PID 5264
  [2] C:\Windows\yryujyrdwzulragi.exe | yryujyrdwzulragi.exe . | PID 3080
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\yryujyrdwzulragi.exe*." | PID 4932

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | PID 5960
  [2] C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | PID 3564

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | PID 4156
  [2] C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | PID 4024

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe . | PID 3252
  [2] C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe | C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe . | PID 4100
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\mjuungdtqxwrboyebolw.exe*." | PID 3556

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe . | PID 2764
  [2] C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe | C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe . | PID 4812
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\yryujyrdwzulragi.exe*." | PID 2052

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe | PID 1104
  [2] C:\Windows\mjuungdtqxwrboyebolw.exe | mjuungdtqxwrboyebolw.exe | PID 3752

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe . | PID 3832
  [2] C:\Windows\zvfewokzvbztcoxcykg.exe | zvfewokzvbztcoxcykg.exe . | PID 3996
    [3] C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe | "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zvfewokzvbztcoxcykg.exe*." | PID 2660

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe | PID 4224
  [2] C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe | C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe | PID 1948

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe | PID 3768
  [2] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 3992
  [2] C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe | C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe | PID 4592

[1] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe . | PID 4348
  [2] C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe | C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe . | PID 4588
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\mjuungdtqxwrboyebolw.exe*."3⤵PID:1636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .1⤵PID:5412
-
C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exeC:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .2⤵PID:5824
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bzlmgaypnvvrcqbigusef.exe*."3⤵PID:5196
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe1⤵PID:4228
-
C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exeC:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe2⤵PID:492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe .1⤵PID:4896
-
C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exeC:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe .2⤵PID:1428
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\yryujyrdwzulragi.exe*."3⤵PID:220
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe1⤵PID:5968
-
C:\Windows\fzheukerlpldkubey.exefzheukerlpldkubey.exe2⤵PID:2752
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe .1⤵PID:4476
-
C:\Windows\mjuungdtqxwrboyebolw.exemjuungdtqxwrboyebolw.exe .2⤵PID:1652
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\mjuungdtqxwrboyebolw.exe*."3⤵PID:4536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe1⤵PID:5688
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4676
-
-
C:\Windows\fzheukerlpldkubey.exefzheukerlpldkubey.exe2⤵PID:3652
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe .1⤵PID:5380
-
C:\Windows\mjuungdtqxwrboyebolw.exemjuungdtqxwrboyebolw.exe .2⤵PID:1036
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\mjuungdtqxwrboyebolw.exe*."3⤵PID:4880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe1⤵PID:4292
-
C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exeC:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe2⤵PID:4656
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe .1⤵PID:3588
-
C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exeC:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe .2⤵PID:3192
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\fzheukerlpldkubey.exe*."3⤵PID:5656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe1⤵PID:772
-
C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exeC:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe2⤵PID:4776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe .1⤵PID:1436
-
C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exeC:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe .2⤵PID:1004
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zvfewokzvbztcoxcykg.exe*."3⤵PID:3940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe1⤵PID:1792
-
C:\Windows\mjuungdtqxwrboyebolw.exemjuungdtqxwrboyebolw.exe2⤵PID:5504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe .1⤵PID:1204
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:848
-
-
C:\Windows\fzheukerlpldkubey.exefzheukerlpldkubey.exe .2⤵PID:3636
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fzheukerlpldkubey.exe*."3⤵PID:1108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe1⤵PID:3828
-
C:\Windows\ojsqhythchexfqycxi.exeojsqhythchexfqycxi.exe2⤵PID:4088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe .1⤵PID:1072
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2816
-
-
C:\Windows\zvfewokzvbztcoxcykg.exezvfewokzvbztcoxcykg.exe .2⤵PID:5396
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zvfewokzvbztcoxcykg.exe*."3⤵PID:2188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe1⤵PID:3024
-
C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exeC:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe2⤵PID:4756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe .1⤵PID:656
-
C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exeC:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe .2⤵PID:2140
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\yryujyrdwzulragi.exe*."3⤵PID:1688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe1⤵PID:1132
-
C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exeC:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe2⤵PID:5248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe .1⤵PID:2832
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2396
-
-
C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exeC:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe .2⤵PID:3492
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ojsqhythchexfqycxi.exe*."3⤵PID:3260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe1⤵PID:1584
-
C:\Windows\zvfewokzvbztcoxcykg.exezvfewokzvbztcoxcykg.exe2⤵PID:6032
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe .1⤵PID:2500
-
C:\Windows\fzheukerlpldkubey.exefzheukerlpldkubey.exe .2⤵PID:872
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fzheukerlpldkubey.exe*."3⤵PID:4984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe1⤵PID:6020
-
C:\Windows\ojsqhythchexfqycxi.exeojsqhythchexfqycxi.exe2⤵PID:6036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe .1⤵PID:2456
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4420
-
-
C:\Windows\ojsqhythchexfqycxi.exeojsqhythchexfqycxi.exe .2⤵PID:6080
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ojsqhythchexfqycxi.exe*."3⤵PID:2764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe1⤵PID:4092
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5972
-
-
C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exeC:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe2⤵PID:4444
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe .1⤵PID:4328
-
C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exeC:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe .2⤵PID:2304
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\fzheukerlpldkubey.exe*."3⤵PID:5964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe1⤵PID:248
-
C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exeC:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe2⤵PID:1696
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe .1⤵PID:5104
-
C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exeC:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe .2⤵PID:4796
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ojsqhythchexfqycxi.exe*."3⤵PID:672
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe1⤵PID:5824
-
C:\Windows\yryujyrdwzulragi.exeyryujyrdwzulragi.exe2⤵PID:5412
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe .1⤵PID:2940
-
C:\Windows\zvfewokzvbztcoxcykg.exezvfewokzvbztcoxcykg.exe .2⤵PID:2860
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zvfewokzvbztcoxcykg.exe*."3⤵PID:3812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe1⤵PID:4688
-
C:\Windows\fzheukerlpldkubey.exefzheukerlpldkubey.exe2⤵PID:2160
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe .1⤵PID:3600
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1656
-
-
C:\Windows\zvfewokzvbztcoxcykg.exezvfewokzvbztcoxcykg.exe .2⤵PID:1936
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zvfewokzvbztcoxcykg.exe*."3⤵PID:1452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe1⤵PID:1376
-
C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exeC:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe2⤵PID:4844
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe .1⤵PID:2152
-
C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exeC:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe .2⤵PID:2676
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\yryujyrdwzulragi.exe*."3⤵PID:2836
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe1⤵PID:4240
-
C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exeC:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe2⤵PID:5988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe .1⤵PID:3644
-
C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exeC:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe .2⤵PID:5448
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\mjuungdtqxwrboyebolw.exe*."3⤵PID:5832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe1⤵PID:5320
-
C:\Windows\zvfewokzvbztcoxcykg.exezvfewokzvbztcoxcykg.exe2⤵PID:3056
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe .1⤵PID:1032
-
C:\Windows\mjuungdtqxwrboyebolw.exemjuungdtqxwrboyebolw.exe .2⤵PID:808
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\mjuungdtqxwrboyebolw.exe*."3⤵PID:5420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe1⤵PID:2724
-
C:\Windows\yryujyrdwzulragi.exeyryujyrdwzulragi.exe2⤵PID:832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe .1⤵PID:2060
-
C:\Windows\yryujyrdwzulragi.exeyryujyrdwzulragi.exe .2⤵PID:6092
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\yryujyrdwzulragi.exe*."3⤵PID:3636
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe1⤵PID:5504
-
C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exeC:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe2⤵PID:2340
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe .1⤵PID:3804
-
C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exeC:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe .2⤵PID:3428
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\mjuungdtqxwrboyebolw.exe*."3⤵PID:5716
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe1⤵PID:3828
-
C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exeC:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe2⤵PID:4572
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .1⤵PID:4684
-
C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exeC:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .2⤵PID:2188
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bzlmgaypnvvrcqbigusef.exe*."3⤵PID:5908
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe1⤵PID:3680
-
C:\Windows\mjuungdtqxwrboyebolw.exemjuungdtqxwrboyebolw.exe2⤵PID:4708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe .1⤵PID:4024
-
C:\Windows\bzlmgaypnvvrcqbigusef.exebzlmgaypnvvrcqbigusef.exe .2⤵PID:1200
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bzlmgaypnvvrcqbigusef.exe*."3⤵PID:2424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe1⤵PID:5060
-
C:\Windows\bzlmgaypnvvrcqbigusef.exebzlmgaypnvvrcqbigusef.exe2⤵PID:2020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe .1⤵PID:4084
-
C:\Windows\fzheukerlpldkubey.exefzheukerlpldkubey.exe .2⤵PID:3004
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fzheukerlpldkubey.exe*."3⤵PID:920
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe1⤵PID:2936
-
C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exeC:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe2⤵PID:2928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe .1⤵PID:5488
-
C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exeC:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe .2⤵PID:5748
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\fzheukerlpldkubey.exe*."3⤵PID:2648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe1⤵PID:5680
-
C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exeC:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe2⤵PID:2144
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe .1⤵PID:2292
-
C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exeC:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe .2⤵PID:3556
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\mjuungdtqxwrboyebolw.exe*."3⤵PID:4100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe1⤵PID:4064
-
C:\Windows\bzlmgaypnvvrcqbigusef.exebzlmgaypnvvrcqbigusef.exe2⤵PID:2024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe .1⤵PID:4980
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2332
-
-
C:\Windows\bzlmgaypnvvrcqbigusef.exebzlmgaypnvvrcqbigusef.exe .2⤵PID:2288
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bzlmgaypnvvrcqbigusef.exe*."3⤵PID:4644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe1⤵PID:5076
-
C:\Windows\fzheukerlpldkubey.exefzheukerlpldkubey.exe2⤵PID:2948
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe1⤵PID:4556
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1456
-
-
C:\Windows\yryujyrdwzulragi.exeyryujyrdwzulragi.exe2⤵PID:2328
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe .1⤵PID:5104
-
C:\Windows\ojsqhythchexfqycxi.exeojsqhythchexfqycxi.exe .2⤵PID:1064
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ojsqhythchexfqycxi.exe*."3⤵PID:1300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe .1⤵PID:764
-
C:\Windows\zvfewokzvbztcoxcykg.exezvfewokzvbztcoxcykg.exe .2⤵PID:4452
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zvfewokzvbztcoxcykg.exe*."3⤵PID:2272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe1⤵PID:5412
-
C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exeC:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe2⤵PID:4976
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe1⤵PID:4228
-
C:\Windows\mjuungdtqxwrboyebolw.exemjuungdtqxwrboyebolw.exe2⤵PID:3156
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe .1⤵PID:4212
-
C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exeC:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe .2⤵PID:5884
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\yryujyrdwzulragi.exe*."3⤵PID:5756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe1⤵PID:5616
-
C:\Windows\mjuungdtqxwrboyebolw.exemjuungdtqxwrboyebolw.exe2⤵PID:4536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe .1⤵PID:3076
-
C:\Windows\ojsqhythchexfqycxi.exeojsqhythchexfqycxi.exe .2⤵PID:1556
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\ojsqhythchexfqycxi.exe*."3⤵PID:6012
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe1⤵PID:4688
-
C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exeC:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe2⤵PID:5980
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe .1⤵PID:5688
-
C:\Windows\zvfewokzvbztcoxcykg.exezvfewokzvbztcoxcykg.exe .2⤵PID:1384
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zvfewokzvbztcoxcykg.exe*."3⤵PID:756
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe .1⤵PID:4792
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:588
-
-
C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exeC:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe .2⤵PID:2852
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ojsqhythchexfqycxi.exe*."3⤵PID:3376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe1⤵PID:1036
-
C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exeC:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe2⤵PID:2260
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .1⤵PID:5268
-
C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exeC:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .2⤵PID:6100
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bzlmgaypnvvrcqbigusef.exe*."3⤵PID:4088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe1⤵PID:3520
-
C:\Windows\yryujyrdwzulragi.exeyryujyrdwzulragi.exe2⤵PID:1436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe .1⤵PID:904
-
C:\Windows\yryujyrdwzulragi.exeyryujyrdwzulragi.exe .2⤵PID:4300
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\yryujyrdwzulragi.exe*."3⤵PID:4832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe1⤵PID:696
-
C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exeC:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe2⤵PID:2880
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe1⤵PID:3684
-
C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exeC:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe2⤵PID:1984
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe .1⤵PID:2992
-
C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exeC:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe .2⤵PID:3352
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ojsqhythchexfqycxi.exe*."3⤵PID:2564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe .1⤵PID:2840
-
C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exeC:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe .2⤵PID:3804
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zvfewokzvbztcoxcykg.exe*."3⤵PID:4960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe1⤵PID:2996
-
C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exeC:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe2⤵PID:3756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .1⤵PID:5084
-
C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exeC:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .2⤵PID:1068
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bzlmgaypnvvrcqbigusef.exe*."3⤵PID:5772
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe1⤵PID:780
-
C:\Windows\bzlmgaypnvvrcqbigusef.exebzlmgaypnvvrcqbigusef.exe2⤵PID:2512
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe .1⤵PID:728
-
C:\Windows\bzlmgaypnvvrcqbigusef.exebzlmgaypnvvrcqbigusef.exe .2⤵PID:3900
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bzlmgaypnvvrcqbigusef.exe*."3⤵PID:2020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe1⤵PID:5476
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3132
-
-
C:\Windows\zvfewokzvbztcoxcykg.exezvfewokzvbztcoxcykg.exe2⤵PID:6044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe .1⤵PID:2928
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:5936
-
-
C:\Windows\mjuungdtqxwrboyebolw.exemjuungdtqxwrboyebolw.exe .2⤵PID:2688
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\mjuungdtqxwrboyebolw.exe*."3⤵PID:5748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe1⤵PID:4164
-
C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exeC:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe2⤵PID:2500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe .1⤵PID:5752
-
C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exeC:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe .2⤵PID:5796
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\yryujyrdwzulragi.exe*."3⤵PID:2052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe1⤵PID:1740
-
C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exeC:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe2⤵PID:2764
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe .1⤵PID:3596
-
C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exeC:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe .2⤵PID:4784
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ojsqhythchexfqycxi.exe*."3⤵PID:4444
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe1⤵PID:2492
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3712
-
-
C:\Windows\ojsqhythchexfqycxi.exeojsqhythchexfqycxi.exe2⤵PID:2216
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe .1⤵PID:3996
-
C:\Windows\bzlmgaypnvvrcqbigusef.exebzlmgaypnvvrcqbigusef.exe .2⤵PID:2660
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bzlmgaypnvvrcqbigusef.exe*."3⤵PID:3980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe1⤵PID:4372
-
C:\Windows\yryujyrdwzulragi.exeyryujyrdwzulragi.exe2⤵PID:1836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe .1⤵PID:4796
-
C:\Windows\zvfewokzvbztcoxcykg.exezvfewokzvbztcoxcykg.exe .2⤵PID:2940
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zvfewokzvbztcoxcykg.exe*."3⤵PID:2272
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe1⤵PID:736
-
C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exeC:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe2⤵PID:6004
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe .1⤵PID:4844
-
C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exeC:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe .2⤵PID:1380
-
C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe"C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\mjuungdtqxwrboyebolw.exe*."3⤵PID:4544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe1⤵PID:2944
-
  PID 4748  image: C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe
PID 2016  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe .
  PID 3704  image: C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe .
    PID 3544  image: C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zvfewokzvbztcoxcykg.exe*."
PID 1452  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe
  PID 2108  image: C:\Windows\yryujyrdwzulragi.exe  cmdline: yryujyrdwzulragi.exe
PID 5108  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe .
  PID 2116  image: C:\Windows\bzlmgaypnvvrcqbigusef.exe  cmdline: bzlmgaypnvvrcqbigusef.exe .
    PID 3588  image: C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bzlmgaypnvvrcqbigusef.exe*."
PID 1772  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe
  PID 1596  image: C:\Windows\ojsqhythchexfqycxi.exe  cmdline: ojsqhythchexfqycxi.exe
PID 3736  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe .
  PID 5940  image: C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 4000  image: C:\Windows\bzlmgaypnvvrcqbigusef.exe  cmdline: bzlmgaypnvvrcqbigusef.exe .
    PID 2416  image: C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\bzlmgaypnvvrcqbigusef.exe*."
PID 3348  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe
  PID 3148  image: C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe
PID 5472  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .
  PID 3376  image: C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .
    PID 4392  image: C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bzlmgaypnvvrcqbigusef.exe*."
PID 3644  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe
  PID 5364  image: C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe
PID 1028  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe .
  PID 2952  image: C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe .
    PID 4300  image: C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\ojsqhythchexfqycxi.exe*."
PID 696  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe
  PID 1224  image: C:\Windows\mjuungdtqxwrboyebolw.exe  cmdline: mjuungdtqxwrboyebolw.exe
PID 4620  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe .
  PID 4968  image: C:\Windows\yryujyrdwzulragi.exe  cmdline: yryujyrdwzulragi.exe .
    PID 4664  image: C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\yryujyrdwzulragi.exe*."
PID 220  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe
  PID 4960  image: C:\Windows\ojsqhythchexfqycxi.exe  cmdline: ojsqhythchexfqycxi.exe
PID 4572  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe .
  PID 2564  image: C:\Windows\yryujyrdwzulragi.exe  cmdline: yryujyrdwzulragi.exe .
    PID 1108  image: C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\yryujyrdwzulragi.exe*."
PID 1072  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe
  PID 2992  image: C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe
PID 5504  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe .
  PID 4216  image: C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 780  image: C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\fzheukerlpldkubey.exe .
    PID 4888  image: C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\fzheukerlpldkubey.exe*."
PID 1068  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe
  PID 2428  image: C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe
PID 4836  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .
  PID 2988  image: C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .
    PID 2568  image: C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bzlmgaypnvvrcqbigusef.exe*."
PID 4156  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe
  PID 4084  image: C:\Windows\yryujyrdwzulragi.exe  cmdline: yryujyrdwzulragi.exe
PID 3312  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe .
  PID 1508  image: C:\Windows\fzheukerlpldkubey.exe  cmdline: fzheukerlpldkubey.exe .
    PID 5456  image: C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fzheukerlpldkubey.exe*."
PID 6036  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe
  PID 5372  image: C:\Windows\mjuungdtqxwrboyebolw.exe  cmdline: mjuungdtqxwrboyebolw.exe
PID 1048  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c fzheukerlpldkubey.exe .
  PID 6080  image: C:\Windows\fzheukerlpldkubey.exe  cmdline: fzheukerlpldkubey.exe .
    PID 4784  image: C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\fzheukerlpldkubey.exe*."
PID 5908  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe
  PID 4104  image: C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe
PID 3188  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .
  PID 4948  image: C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .
    PID 4152  image: C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bzlmgaypnvvrcqbigusef.exe*."
PID 2216  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe
  PID 3768  image: C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe
PID 1572  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe .
  PID 3960  image: C:\Windows\System32\Conhost.exe  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 4644  image: C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\mjuungdtqxwrboyebolw.exe .
    PID 6028  image: C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\mjuungdtqxwrboyebolw.exe*."
PID 5452  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c mjuungdtqxwrboyebolw.exe
  PID 492  image: C:\Windows\mjuungdtqxwrboyebolw.exe  cmdline: mjuungdtqxwrboyebolw.exe
PID 2940  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c yryujyrdwzulragi.exe .
  PID 4976  image: C:\Windows\yryujyrdwzulragi.exe  cmdline: yryujyrdwzulragi.exe .
    PID 912  image: C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\yryujyrdwzulragi.exe*."
PID 1264  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c bzlmgaypnvvrcqbigusef.exe
  PID 3600  image: C:\Windows\bzlmgaypnvvrcqbigusef.exe  cmdline: bzlmgaypnvvrcqbigusef.exe
PID 4348  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe .
  PID 5944  image: C:\Windows\zvfewokzvbztcoxcykg.exe  cmdline: zvfewokzvbztcoxcykg.exe .
    PID 2016  image: C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\windows\zvfewokzvbztcoxcykg.exe*."
PID 2676  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe
  PID 3052  image: C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\ojsqhythchexfqycxi.exe
PID 4656  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe .
  PID 2152  image: C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\zvfewokzvbztcoxcykg.exe .
    PID 3540  image: C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\zvfewokzvbztcoxcykg.exe*."
PID 4660  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe
  PID 1684  image: C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\yryujyrdwzulragi.exe
PID 3588  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .
  PID 2804  image: C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe  cmdline: C:\Users\Admin\AppData\Local\Temp\bzlmgaypnvvrcqbigusef.exe .
    PID 2384  image: C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\gwijnolzqgs.exe" "c:\users\admin\appdata\local\temp\bzlmgaypnvvrcqbigusef.exe*."
PID 3348  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c zvfewokzvbztcoxcykg.exe
  PID 3056  image: C:\Windows\zvfewokzvbztcoxcykg.exe  cmdline: zvfewokzvbztcoxcykg.exe
PID 5608  image: C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /c ojsqhythchexfqycxi.exe .
  PID 2788  image: C:\Windows\ojsqhythchexfqycxi.exe  cmdline: ojsqhythchexfqycxi.exe .
Network
MITRE ATT&CK Enterprise v16 (technique, number of matching events)
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads